Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger

Marten Gajda <marten@dmfs.org> Fri, 03 June 2016 09:38 UTC

Return-Path: <marten@dmfs.org>
X-Original-To: webfinger@ietfa.amsl.com
Delivered-To: webfinger@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B14C912D65D for <webfinger@ietfa.amsl.com>; Fri, 3 Jun 2016 02:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dmfs.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Z7VpsObw9hj for <webfinger@ietfa.amsl.com>; Fri, 3 Jun 2016 02:38:21 -0700 (PDT)
Received: from mailrelay2.public.one.com (mailrelay2.public.one.com [91.198.169.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC5C812D64B for <webfinger@ietf.org>; Fri, 3 Jun 2016 02:38:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dmfs.org; s=20140924; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=JYKllgvu+WV4+/lUvqXJ7KpIps6GY1w+CKM7b7ElW54=; b=EVGHkgPMpHV1YRVsF/fgHvw/lysbAiHuN0LzfC0cqQtsNZZnRuIkmOx16nmlVi9BKNd4jFCBseE3u UNz3QSz6iTOTl29RzlYBMjSH+a7MWA2MbIlKuyGAE9ivCJuFpWeEHuazXhHdY5AiBV0NC+BtBtgrg5 c5Yo7oE511qovPtM=
X-HalOne-Cookie: 70c01d17fc65b8a2f32119af0007ff6faadb69d3
X-HalOne-ID: e705d87f-296e-11e6-8278-b82a72d03b9b
Received: from smtp.dmfs.org (unknown [79.240.231.213]) by smtpfilter2.public.one.com (Halon Mail Gateway) with ESMTPSA for <webfinger@ietf.org>; Fri, 3 Jun 2016 09:38:17 +0000 (UTC)
Received: from localhost.localdomain (p5DDA907C.dip0.t-ipconnect.de [93.218.144.124]) by smtp.dmfs.org (Postfix) with ESMTPSA id 292712B1 for <webfinger@ietf.org>; Fri, 3 Jun 2016 11:34:18 +0200 (CEST)
Message-ID: <57515008.4020003@dmfs.org>
Date: Fri, 03 Jun 2016 11:38:16 +0200
From: Marten Gajda <marten@dmfs.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: webfinger@ietf.org <webfinger@ietf.org>
References: <20160603004328.12103.qmail@ary.lan>
In-Reply-To: <20160603004328.12103.qmail@ary.lan>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/webfinger/pzLYf-cHfxw3swoEAx8FtgOeveo>
Subject: Re: [webfinger] [apps-discuss] Mail client configuration via WebFinger
X-BeenThere: webfinger@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of the Webfinger protocol proposal in the Applications Area <webfinger.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webfinger>, <mailto:webfinger-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webfinger/>
List-Post: <mailto:webfinger@ietf.org>
List-Help: <mailto:webfinger-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webfinger>, <mailto:webfinger-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2016 09:38:24 -0000

Hi John,

good question. I see a couple of advantages over RFC 6186 (and at least
some of these have led to the development of the current draft).

# user specific configuration

The draft we're talking about allows a service provider to return a user
specific configuration file. Some example use cases are

 * premium services can be included for premium users only, the client
of a "free user" would not attempt to set up a service that it has no
access to
 * user specific endpoints - consider a company with an office in Europe
and an office in the US. All email addresses may share the same domain,
say `example.com`, but the European users actually access IMAP under
`imap.eu.example.com` and the US users access IMAP under
`imap.us.example.com`. A configuration document can be smart enough to
return the correct endpoint for each user, while SRV can't do that.

# one document to rule them all

A service configuration document contains information about all services
a service provider offers. You don't need to guess which services might
be there. Also, the service configuration client doesn't even have to
know how to handle all the services. Ideally the configuration client
would run on system level and dispatch the setup of each service found
in the configuration document to the respective service handlers which
are registered with the system.

# additional information
 
A service configuration document allows to integrate additional
information like

 * OAuth2 scopes that are required to access a specific service
 * a link to an account management page
 * support/operator contact information

# easier to integrate

## for clients

Doing an SRV lookup is not well supported by some (or many) of the
existing platforms & frameworks. Many Frameworks provide methods to
resolve domains back and forth, but other record types are often not
supported out of the box.
We're developing Android clients for CalDAV & CardDAV and to do an SRV
lookup we would have to integrate a 3rd party DNS library. Of course
that 3rd party library should support DNSSEC, otherwise you can't trust
the result of the SRV lookup.

The draft we're talking about uses HTTP based technology, which is well
supported in a secure manner by pretty much every platform/framework.

## for services

Setting up DNS records is not an issue for large service providers,
though it can be a problem for smaller installations if your hosting
service doesn't give you such control over your DNS settings.
Setting up Webfinger and a service configuration document can be quite
trivial. In simple cases you can get away with a few static files on
your server. In other cases a simple PHP script might solve this.

# works cross domain (at least in theory)

Technology like OpenID Connect allows to separate the identity provider
from the actual service provider. So my email provider might not be the
same as my calendar provider, but both use the same identity provider
for authorization. My calendar client should be able to discover my
calendars, even though my user id has a completely different domain part.

Services like webfist.org can make this even more versatile and gives
users full control over their service configuration document, even if
their email provider doesn't support it.


That's it for now. There may be other good reasons to favor a service
configuration document over SRV records.


Cheers,

Marten






Am 03.06.2016 um 02:43 schrieb John Levine:
> If I may ask an obvious question, how much better in practice is this
> likely to be than RFC 6186?  I realize that 6186 is somewhat
> inflexible and requires that the address or the local-part be the
> login credential, but it is my impression that the vast majority of
> mail servers are set up that way anyway.
>
> R's,
> John
>
> _______________________________________________
> webfinger mailing list
> webfinger@ietf.org
> https://www.ietf.org/mailman/listinfo/webfinger

-- 
Marten Gajda
CEO

dmfs GmbH
Schandauer Stra├če 34
01309 Dresden
GERMANY

phone: +49 177 4427167
email: marten@dmfs.org

Managing Director: Marten Gajda
Registered address: Dresden
Registered No.: AG Dresden HRB 34881
VAT Reg. No.: DE303248743